[logs] Eventlog to syslog

Andrew Hay andrewsmhay at gmail.com
Fri Feb 29 18:55:24 PST 2008


> If Microsoft feels that the 'cross-log query' feature nails the SIEM problem
> -- we disagree.

Count me in your 'we' group.

> It opens up some possibilities for very small shops but by itself has
> limited value in even a medium-size install.

Yep, sure does.

> Limitations
>
> 1) All machines must run Vista

You sure? It reads like Windows 2008 Servers will also have this capability.

> 6) It's an MS standard

Honestly, is that a bad thing? So what if it's a Microsoft standard, a Cisco
standard, or some other standard, as long as it's implemented correctly?

On 29/02/2008, A Ananth <ananth802 at yahoo.com> wrote:
>
>
> --- Andrew Hay <andrewsmhay at gmail.com> wrote:
>
> > I suspect that, with the (future) adoption of
> > Windows 2008 and the new
> > cross-log query feature in the event log (that
> > allows you to correlate logs
> > from multiple systems), Microsoft may finally have
> > put the nail in the
> > coffin that is this issue (at least in their eyes).
> > I'll be honest, I
> > haven't dug into the new event log due to other
> > things on my plate, but I
> > have a feeling that this new event log rewrite is
> > going to be positioned as
> > a SIEM replacement for Windows based events.
>
>
>
> If Microsoft feels that the 'cross-log query' feature
> nails the SIEM problem -- we disagree. It opens up
> some possibilities for very small shops but by itself
> has limited value in even a medium-size install.
>
> Limitations
> 1) All machines must run Vista
> 2) Collector is a workstation
> 3) Event automation is local to each system
> 4) No central policy mgt console
> 5) Updating each endpoint system is manual effort
> 6) It's an MS standard
>
> We explored the Vista event log in a webinar last year
> with Nelson Ruest. It's online (registration required)
> at
> http://www.prismmicrosys.com/webinarDetails.php?id=10&a=view
>
> Disclaimer: I'm with Prism, a SIEM vendor
>
> --
> A Ananth
> ananth802 at yahoo.com
>
>
> --
> A N Ananth
> ananth802 at yahoo.com
>



-- 
Andrew Hay
blog: http://www.andrewhay.ca
email: andrewsmhay || at || gmail.com
LinkedIn Profile: http://www.linkedin.com/in/andrewhay
OSSEC Book: http://preview.tinyurl.com/2oy63f
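For readers who have not yet looked at the feature the two messages above argue about, here is an added example (not from either poster, and not from the webinar linked above) of what a Vista/Windows 2008 cross-log query looks like when run on a Windows Event Collector. It uses a structured XML query to pull failed logons (Event ID 4625) from the collector's own Security log and from the ForwardedEvents log that an event-forwarding subscription populates, then correlates them by source host and target account. It assumes PowerShell with Get-WinEvent is installed on the collector (it is not present on Vista by default), that a subscription is already delivering Security events into ForwardedEvents, and that the 4625 event-data layout is the standard one; the one-hour window and the threshold of five failures are my choices, not anything from the thread.

```powershell
# Added example: one cross-log query over the local Security log and the
# ForwardedEvents log on a Windows Event Collector. Assumes a WEF
# subscription already delivers other hosts' Security events into
# ForwardedEvents (subscription setup not shown).
# Event ID 4625 = "An account failed to log on" (Vista / Server 2008 onward).
$query = [xml]@"
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4625)]]</Select>
    <Select Path="ForwardedEvents">
      *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (EventID=4625)]]
    </Select>
  </Query>
</QueryList>
"@

# Look back one hour. The time filter is applied after the query to keep the
# XPath readable; it could equally go into the Select expression.
$since = (Get-Date).AddHours(-1)

$events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since }

# Correlate across hosts. In a 4625 event the EventData fields are positional:
# index 5 is TargetUserName and index 19 is IpAddress. Indexing Properties is
# preferable to parsing the rendered message, which is locale dependent.
$events |
    ForEach-Object {
        [pscustomobject]@{
            Collector = $env:COMPUTERNAME
            Source    = $_.MachineName          # host that generated the event
            Log       = $_.LogName              # Security or ForwardedEvents
            Account   = $_.Properties[5].Value  # TargetUserName
            IpAddress = $_.Properties[19].Value # IpAddress
            Time      = $_.TimeCreated
        }
    } |
    Group-Object Source, Account |
    Where-Object { $_.Count -ge 5 } |       # five or more failures per host/account
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run on the collector, this flags any host/account pair with five or more failed logons in the last hour, regardless of whether the events were generated locally or forwarded. It also shows the boundary Ananth's list is pointing at: the query, the threshold and the schedule all live on this one collector, so every other collector has to be given the same query by hand.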